Alison Davis and Peter Kurtz Port Based Network Authentication in a Lab Environment QUESTNet 2000

Alison Davis and Peter Kurtz Contents Introduction Overview of QUT’s network Technical part of the LAS Project Support part of the LAS Project

Alison Davis and Peter Kurtz Introduction Laptop Access Project started in 1999 Provide Laptop Access in QUT Labs Faster and better access Demand for student labs Economic considerations

Alison Davis and Peter Kurtz Overview of the QUT Network Potential of 34,000 users - 30K students 4K staff x PCs / Workstations 90 Central Servers, 30 x Faculty Servers 2 x WAN ATM Switches 3 x Legacy Routers, 4 x ATM Router Engines 46 x ATM Switches 189 x Ethernet Switches 370 x Ethernet Hubs 48 x Terminal Servers 600 x Digital / Analog Modems

Alison Davis and Peter Kurtz Kelvin Grove Campus 34Mbps Mt Cootha QUT Wide Area Network (Voice/Data) - May 2000 Gardens Point Campus Carseldine Campus 4 x 2Mbps 155Mbps Margaret St Offices 64k UQ 34Mbps PABX AARNET DIALIN ACCESS 6 x 2Mbps 2 x 2Mbps 2Mbps ATM Switch Legacy Router Merivale St PSTN / ISDN Peel St KG Offices (4) Switch 2Mbps Radio Link 2Mbps Radio Links GU 34Mbps USQ Adelaide St 34Mbps

Alison Davis and Peter Kurtz Network Projects 2000 Installing Accellar router switches into the core of data network. VoIP trials Carseldine WAN upgrade to155Mbps Microwave Links reused for redundancy

Alison Davis and Peter Kurtz QUT Wide Area Network (Voice/Data) - Future Mt Cootha Gardens Point Campus Carseldine Campus Kelvin Grove Campus GU 34Mbps 155Mbps 34Mbps 6Mbps 12Mbps ATM Switch Legacy Router AARNET UQ

Alison Davis and Peter Kurtz Current Networking Issues High Availability and High Bandwidth  Integrating voice over the data network Network Performance  Wire speed routing  IP only backbone Network Security  Breach Monitoring within the LAN  Secure Management LAN  Leaf node (port based) authentication

Alison Davis and Peter Kurtz Laptop Access Project Requirements Easy to use authenticated laptop access  Given technical and financial constraints. Network Authentication  Use QUT Access username, password. Network Access and Performance  Same as in a standard public access lab. Before Authentication  Network access must be completely restricted, including other unauthenticated ports.

Alison Davis and Peter Kurtz Possible Client End Solutions Laptop to switch authentication using:  1. Microsoft(NetBIOS) or NetWare Client  2. Browser or telnet Client  3. Extensible Authentication Protocol - EAP Laptop to server authentication  Microsoft or Browser client  Server requests port movement from default VLAN to the authenticated VLAN

Alison Davis and Peter Kurtz Network Authentication Process Laptop/PC Default Port Virtual LAN Authenticated Virtual LAN Central Dynamic Address Allocation Server (DHCP) Network Gateway (Router) Alcatel Ethernet Switch Central Authentication Server (RADIUS) Internal Web and Telnet Server 1 2 3

Alison Davis and Peter Kurtz IP, Gateway Address Primary DNS Secondary DNS - Switch IP Network Authentication Process - Detail DHCP Request Central DCHP Server DHCP Reply 1 2 Switch Internal Web & Telnet Server DNS [QUTAccess ] DNS [Switch IP Addr] Username, Password Auth Successful Central RADIUS Server Front End for Oracle DB ORACLE Database Stores: QUT Access Username Password

Alison Davis and Peter Kurtz Current Solution Specifications ISC DHCP Server Ver 2.0  Internet Software Consortium - RADIUS Server Radiator  Open Systems Consultants - Oracle Database ver 8 with perl DBI ALCATEL Switches  Omnistack 4024,5024, Omniswitch router OSR  Current software GA  Standard Telnet, Netscape, IE 4,5  Win95,98,NT,Win2000, MacOS, Linux

Alison Davis and Peter Kurtz Radius Log Processor - snapshot

Alison Davis and Peter Kurtz Alcatel Solution Switch authentication reliability  software, hardware problems Vendor support was good Scalability is Costly

Alison Davis and Peter Kurtz Future Direction QUT authentication backend change  Directory Service replaces oracle db  User profile detail VLAN  LDAP replace RADIUS Goals for switch vendors  Authentication before DHCP  A solution for Operations Systems apart from Win2K  A solution for all L2 Access - Ethernet & Wireless

Alison Davis and Peter Kurtz From the technical detail to the bigger picture….. Technical Support Usage Cost effectiveness

Alison Davis and Peter Kurtz What other universities are doing User services list March 2000 University of Melbourne CAUDIT list June 2000 Information from 23 universities

Alison Davis and Peter Kurtz Institutional Responses Most universities are at least considering laptop access for students (17/23) à 9 yes à 8 Soon/very small à 6 no Demand has been much lower than expected Many see wireless as the future direction

Alison Davis and Peter Kurtz QUT laptop access areas Law Library. September 1999 Graduate School of Business teaching facilities. Semester Gardens Point Library. June-July 2000 Student superlab – 350 ports – October 2000

Alison Davis and Peter Kurtz Law library usage statistics

Alison Davis and Peter Kurtz Law Library usage statistics (cont)

Alison Davis and Peter Kurtz Law library usage statistics (cont) 21 students successfully used the service 9 students only used it on one day 1 student used it on 23 days Maximum of 5 users on any one day Usage slowly increasing

Alison Davis and Peter Kurtz Support issues Hired laptops (preconfigured) Only connect at QUT laptops (configure once) Modem + QUT connection laptops (minor adjustments) Work laptops. Major adjustments. Hire network cards or USB connectors

Alison Davis and Peter Kurtz Promotion Signage Official launch Position Competition Feedback

Alison Davis and Peter Kurtz

What we’ve learnt Support Demand - convenience Promotion Equity Laptop Security Technical - hardware and management

Alison Davis and Peter Kurtz Likely future Wireless Client software will be inbuilt Interchangable with desktops Establish cost effectiveness Benchmark student access to the university network